The computer is taking the copious amounts of time it does to boot.
I'll start with some giveaways.
I've got some stress balls for everybody.
If anybody wants some.
Here.
I've got some other stuff, too.
Takes up the extra time.
There's some keychains with pocket knives in them, too.
So don't cut each other up, okay?
There you go.
There you go.
All right.
Well, my machine should finish.
I'm going to finish booting up here any second.
I don't want to have to carry this home, so take it all, okay?
I don't want to have to carry any of it back with me.
All right.
Well, what I'm going to show you today, just so I can set your expectations,
everything I'm going to be demoing to you today is relatively simple.
If you are writing your own exploits, if you're doing all sorts of fancy, cool stuff,
then you're probably in the wrong place.
I'm doing a lot of penetration testing and penetration of physical security for machines.
Really, my focus for the talk and actually what I do in real life is protecting physical machines.
Somebody comes, sits down at your machine, wants access to your machine,
making sure that they don't get on there.
That's all you want.
I think that's it for the giveaway.
Sorry about that.
Too late.
Too slow.
Anyway, let me show you.
Let me bring my slides up now.
We good on the other systems?
We need to make sure we have the keyboard plugged in for them, too,
even though we don't use it because it needs to have the power.
All right.
What I'm going to show you today,
here we go, still being slow.
Oh, resolution of my monitor doesn't match up.
Hey, thank you.
It's wonderful when you get to do your first dry run with the AV equipment,
right when you're doing the presentation.
It's always a plus.
Let me change that if my machine decides that it wants to do that, too.
Yeah, it's working.
Yeah, 10-minute startup sequence, exactly.
Try that.
That looks a little bit better.
There we go.
Yeah, I know.
Too much tray, huh?
Yeah.
All right, let's see if we'll do 1024.
We'll do 800.
All right, here we go.
Let's just get going.
I've got a lot of junk, don't I? Cheese. Bonus. I should sing or something. Yeah, exactly. Yep, exactly.
Exactly. Boring lull. Wow. You could tell I was on the DEFCON network today. Let's just
switch over here.
All right. Anyway, finally. All right. So what I'm going to do today is show you basically
some lame security methods for protecting information on your machine. Who am I? What
am I? All that good stuff. The audience, I already told you, I'm going to show you pretty
basic stuff. This is not rocket science. I would know that. I do have a degree in astrophysics,
so it is not rocket science, however. This is all crap, just basic stuff. But most of
the people in business, in the real world, don't understand even one or two of these
things, although a lot of you may already. Who am I? I'm Brian Glancy. I already mentioned
that. I run a professional services team in the United States to deploy security countermeasures
to different...
Companies. Let's just leave it at that. Told you what I do. What am I going to do today?
I already told you about that. I'm going to show you some of the different... I'm not
going to show you anything since the switch decided to go out.
My agenda for today. I'm going to show you some bad security measures. I'm going to
show you some stupid things that are built and sold to all sorts of companies, even today.
As security, and are basically stupid. They're only security against really dumb people.
Really give you no way, no protection, no method of keeping your information safe. Nothing
like that. And I'll mention, also towards the end, I'll mention some things that you
can do about it. Some ways that you can actually keep your stuff secure, and you can manage
to keep other people out of your machine. So, when you get raided by this, you're going
to be the Fed panel. They can't actually take all your kiddie porn off your machine,
and all that good stuff. I'm also going to talk a little bit about information gathering
tools. I'm going to talk really simple stuff. Sector editors, in case you guys aren't familiar
with them. Very simplistic. Show you how they work. Show you how you can garnish information
from them. They actually give classes on this stuff, which is kind of scary, as forensic
tools. Just going to show you some basic things about how they work, what they do,
what sort of information you can find, and also why most of the security products that
are sold don't protect at all against most things like that. Then I'll talk a little
bit about countermeasures.
So where did this presentation come from? Last year, I've been to DEF CON for the
last four years. I do a lot of speaking, not usually at, this is my first time speaking
at DEF CON.
But I do a lot of speaking at security conferences for the industry, for business, and things
like that. And I always come to DEF CON. And last year, Bruce was a little bit more
animated than he was this year. And he had a lot to say about stupid security systems.
So I thought about making up a presentation about different things that are sold to people
by our friends at anybody from Microsoft to all different sorts of companies.
I think that's great.
Yeah, well, I do a lot of speaking about security
products, but actually have, you know, do no security whatsoever, because they either
have bad implementations or they don't really protect any information. And the thing that
gave me the title for my speech is really not the TV show, believe it or not. But Bruce's
book, Secrets & Lies, has got a lot of stuff in it about your security only being as
strong as your weakest link. I want to start off with something, a statement
that was recently circulated around all over the place and a lot of people called me and
asked me about it and a lot of companies have brought it up regarding, this statement is
from Microsoft, this is cut right off their website, I have it posted at the bottom, the
URL for it on the bottom. Basically what their point was, they were getting nailed all the
time about EFS, I know most of you have probably installed or played with or looked at EFS,
and they were getting nailed constantly because people were saying, well, EFS is not really
secure, there's so many tools out there that I can break it with, there's easy ways to circumvent
it, I can steal the certificates, I can attack it in a number of different ways, and Microsoft
basically,
they came back with this response, and what they basically said is, if you have physical
access to the machine, there is absolutely nothing that can be done to keep you out of
the machine. Which is not true. There are solutions that you can do to secure yourself
against, secure your operating system, whether it be something like the steel, or secure
your access to the machine, which there's a lot of different people that have products
and
different pieces that do that. But, Microsoft, of course, does not see that, and
they named a new set of security laws called the Ten Immutable Laws of Security. Now, in
case anybody doesn't know what immutable means, and I didn't know, I had to go look
it up. Unchanging or unchangeable. So, they had the balls to do a press release about
this to the whole world, and say that there was no way that anybody could ever
guarantee, if they have physical access to the system, that you cannot have access to
all the information on that system, which I think is rather a stupid thing to say.
But here's the law. If a bad guy has unrestricted physical access to your computer, it's not
your computer anymore. Well, I would agree that it's not your computer, but I would say
it's still your information. I would hope that if somebody comes into my house and takes
my computer, that the information is still mine, and they're not going to be able to
just take it off there and do whatever they want with it or interpret it in any way.
Microsoft followed up with, if the attacker has physical access to your machine, they
can get all the data they want, and you have no method of defense. And I say, develop a
little bit of better security, and then they will have a little bit of a defense.
So who cares about this problem? Who cares about information?
Information on machines. Well, I definitely care about it, and I think that anybody cares
about it, that if you use your computer at home or work for confidential business or
personal use, if you have documents, medical records, whatever they may be, correspondence
on your machine, that you don't want somebody to be able to get that information if they
take your computer, then you care about what happens if somebody has physical access to
your machine. If you travel with a laptop, like a lot of people do these days, how do
you know if your machine is stolen? Are you going to know that nobody has that information?
Now, all of you probably have seen all the wonderful hacking news in the media about
things like executives at Qualcomm losing their laptop and having beyond secret information
about the running of the security infrastructure of the United States on there. All different
sorts of people from financial institutions losing your credit card numbers that are on
their machines and all those wonderful, great things that happen. I think that there's
a lot of different security that can be done to prevent this, but of course, we have to
be educated and companies have to be educated to know that we require this of them, that
they keep our information confidential and that they actually take security measures
to make it so not just anybody can get into anything they want. Okay. So, now we get
around to some demos. We're heading in the right direction now, and hopefully the KVM
is going to work when I go to switch. What we're going to demo. It is hot. Wow. What
we're going to demo. We're going to demo stuff about BIOS passwords. I see a lot
of people that use BIOS passwords. They are the stupidest frigging thing ever invented
in the world. I have no idea why anybody would ever use them or what the purpose of them
was or what the person that wrote them was actually thinking.
And I think the most hilarious thing about it, I think, is that the people that wrote
the BIOS password utilities quite often are the same people that had to write for
their companies the BIOS reset utilities for when a user forgets his password, you can
reset the BIOS to a blank password. It's a really useful security measure when you
can actually even reset it at your whim. So, we're going to show a little bit about
that. Then I'm going to show a little bit about
bootloading.
Some of you may have seen, there's a lot of different boot lockers out there. There
was a product out there that I used to love to rip up by Norton/Symantec called For Your
Eyes Only that sucked and was just basically a feeble attempt at a security that you could
hack really easily. They're gone now. They went out of business. But there are still
a lot of other ones. I just actually bought, the one that I'm going to hack, I bought last
week and you're going to see it's pretty dumb.
Then we're going to talk a little bit about file level passwords, any password prompt
that comes up to you inside Windows and what the problems with those are. Then I'm going
to talk a little bit about EFS and what the problems with EFS are.
Our first demo is BIOS passwords. Let me see what we've got over here with our machines.
All right. Let's see. This computer, we need the, thank you to my wonderful helpers, by
the way. Help for helping me out to run this whole thing and put it all together kind of
quickly. Put the keyboard prompt.
All right. So, a BIOS password. What does it look like? Let's see if we can switch over.
I'm sure you've all seen them. Assuming the KVM decides it wants to switch.
What cable is that? Four.
One second. Stop reading. It's on the next one.
One second. Yeah, it's doing it right now. Thank you.
Okay, there we go. That's what a BIOS level password looks like. Pretty easy to use, pretty dumb.
It just comes up as soon as you turn the machine on; this is the prompting that you get.
Lots of machines have different levels of BIOS passwords. They have a BIOS
password that comes on for access of information.
And they also have a BIOS
level password for changing any of the
information in the BIOS.
Well, so, what do we
do about this if we are an attacker
and we want to get the information off
this machine? How difficult is it?
Well, I've got
another machine right here.
Do we have a keyboard for this guy?
Okay.
Too much equipment
for one place, huh?
What cable is that?
Is that cable
right here?
Hold on for a second.
Not yet, but it will be
by the end of the day.
Actually, mail it, mail to
bry, b-r-y, at
pointsec.com, and I'll mail it to you.
Or I'll mail you the URL.
Okay, so,
we have our
BIOS password up. We want to get
the information off that machine.
Well, how do we do it? Well,
I've got another machine that's just like it right here.
Alright, I want
to take the information off this.
I take the machine,
I'm over,
I'm visiting a company, I'm doing whatever,
I want the information off there. I pop
the drive out, it takes me a couple seconds,
comes right out in one hand,
turn off my other computer,
and as you all know,
as soon as I plug this drive
in here,
the BIOS password is not going to,
uh, port with the machine.
The BIOS
password is localized
only to
that machine. It's not
localized to the hardware.
Now, there are
a couple, that's a very good point, very good
question. There are a couple companies
out there that make, uh, encrypting
hard drive controllers that link.
And those
companies are doing
a very good job. One of them,
is IBM.
They have a link, uh,
encrypting controller,
and that encrypting controller links
to your BIOS password. And that's not
bad, but the only big problem about it is what happens
when you lose your password.
That's not a good situation.
So, anyway,
let's see if I can toggle
systems now, to...
This is my BIOS
password system. As soon as I plug
the drive into another machine,
it comes right up. I actually had
a CD in there, so
it actually booted to the CD.
That's one of the other demonstrations.
But it will
boot directly to the machine.
So,
basically, the BIOS passwords
don't protect any of the information
on the machine. They don't encrypt the information
on the machine except for the specialized BIOS
encrypting passwords. This one just booted
right up. Now, this is a
Windows 98 machine. I know.
I just use it for demonstration.
Now, here we go. Let's switch to
back to the presentation
machine here.
Okay.
Okay. So,
BIOS passwords.
Random people can't just sit down
at your computer and use it.
Bad part is
what happens when you forget your
password? One bad thing.
What you have to do is reset
your BIOS or pull
the battery off your motherboard.
That's one thing you can do.
Now, the other question is
you can wipe
What am I looking at here?
Can be wiped through motherboard access. We talked about
that. Move the drive to another machine
which is what we just did and you have full access
to the machine. Check the web
for BIOS password crackers.
There's also a lot of BIOS password crackers
out there. So, basically, that's no
security at all. So, BIOS passwords are stupid.
Okay.
Boot lock.
This boot lock program
that I'm going to demonstrate to you today
is
freely available
on the web. Or I shouldn't say freely
available. I paid $29.95 for it.
Actually.
And what it basically
does is it prevents
the normal booting of a machine
by intercepting your
boot sector. Now,
for any of you that know how hard drives
work, when you
turn on your machine, as soon as you turn it on
it reads out your master boot record.
Reads your master boot record,
determines what your active partition is
and then reads that active
partition, that partition
which is marked active.
Reads the boot code off
the boot sector off the beginning of that
drive. That's where this
whole thing comes into play.
They actually start up as soon as you
try to load from that drive
and they
prevent you from just getting
in. They look pretty
simplistic. All they do
Drive back in this one?
Yeah. Good. All they really
do is
when you boot them up
they
give you a password. Some of them
have passwords for multiple people.
They have the ability to let administrators
get in. They have the ability to do
all different sorts of cool things
like that. Real
problem is
they don't have
anything
linking, any security linking to them on
the back end that would prevent you
from bypassing them. You could do
anything from rewriting the boot
sector, which is really easy,
to just booting
off of the disk, which is
really the easiest thing to do in this
situation. You could take a boot
floppy, you drop a little sucker
in there, it'll come right up
and it'll work for you.
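As an added illustration (not part of the talk or of any product's code), the following Python reads an MBR the way the boot sequence just described does, then shows that a boot locker which only replaces the boot code leaves the partition table, and so the data, exactly where it was; the sample MBR, its partition layout and the placeholder boot code bytes are constructed for this example.

```python
"""Read a master boot record the way the BIOS does at power-on: check the
0x55AA signature, walk the four 16-byte partition entries at offset 446 and
pick the one flagged active (0x80). The same code then shows why a boot
locker that only rewrites the 446 bytes of boot code leaves the partition
table, and so every file on the disk, exactly where it was."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # boot code occupies bytes 0..445
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = 0xAA55       # little-endian: bytes 55 AA at offsets 510, 511
ACTIVE_FLAG = 0x80
ENTRY_FORMAT = "<B3xB3xII"    # status, CHS(skip), type, CHS(skip), LBA start, sector count


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed 512-byte MBR from boot code and a list of
    (active, type, lba_start, sector_count) tuples. CHS fields stay zero."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code must fit in 446 bytes")
    if len(entries) > 4:
        raise ValueError("MBR holds at most four primary partition entries")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (active, ptype, lba_start, count) in enumerate(entries):
        status = ACTIVE_FLAG if active else 0x00
        struct.pack_into(ENTRY_FORMAT, sector, BOOT_CODE_SIZE + i * ENTRY_SIZE,
                         status, ptype, lba_start, count)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, BOOT_SIGNATURE)
    return bytes(sector)


def parse_partition_table(sector: bytes):
    """Return the non-empty partition entries as dicts, after validating the
    signature exactly as the BIOS would before running the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, BOOT_CODE_SIZE + i * ENTRY_SIZE)
        if ptype == 0:            # type 0 means the slot is unused
            continue
        entries.append({"slot": i, "active": status == ACTIVE_FLAG,
                        "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def find_active_partition(sector: bytes):
    """The partition the boot code hands control to: exactly one entry must be active."""
    active = [e for e in parse_partition_table(sector) if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return active[0]


def boot_code_sha256(sector: bytes) -> str:
    """Hash of the boot code only; comparing it against a known-good value is a
    simple way to notice that something has replaced the boot sector."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def partition_tables_match(a: bytes, b: bytes) -> bool:
    """True when the two MBRs describe the same partitions, whatever their boot code."""
    return a[BOOT_CODE_SIZE:SIGNATURE_OFFSET] == b[BOOT_CODE_SIZE:SIGNATURE_OFFSET]


# Constructed sample: one active 0x07 (NTFS) partition starting at LBA 63 and an
# inactive 0x0B (FAT32) data partition. Boot code bytes are placeholders, not real code.
PARTITIONS = [(True, 0x07, 63, 2_097_152), (False, 0x0B, 2_097_215, 1_048_576)]
ORIGINAL_MBR = build_mbr(b"\xeb\x3c\x90ORIGINAL-BOOT-CODE", PARTITIONS)
# What a boot locker leaves behind: different boot code, identical partition table.
LOCKED_MBR = build_mbr(b"\xeb\x3c\x90BOOT-LOCK-PASSWORD-PROMPT", PARTITIONS)

if __name__ == "__main__":
    for name, mbr in (("original", ORIGINAL_MBR), ("boot-locked", LOCKED_MBR)):
        active = find_active_partition(mbr)
        print(f"{name}: boot code sha256 {boot_code_sha256(mbr)[:16]}..., "
              f"active partition type 0x{active['type']:02x} at LBA {active['lba_start']}")
    print("partition tables identical:", partition_tables_match(ORIGINAL_MBR, LOCKED_MBR))
```

The boot-code hash is the defender's handle here: a changed hash with an unchanged partition table is exactly the footprint a boot locker (or anything else that rewrites the boot sector) leaves.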
Let me show you what these guys look like.
Two.
Hey.
It's deciding to work a little quicker
now. Three.
Three's not working yet.
Is that four or three?
Four. Sorry about that.
Keyboard error.
Yeah, blah.
Oh, that's our
BIOS password. Okay.
Yeah, let me switch it.
All right.
Here we go.
That must take so much longer.
All right.
So here's my computer booting up.
Booting up off the hard disk.
Hard drive. And the first thing that we
get is the intercepted boot
code. And it prompts us
with the BIOS password.
With the, pardon me, the boot
locker password.
Now, this password
is a little bit better than the BIOS one that we just
tried to defeat. In that
it is ported with the hard drive. It's
actually modifying the hard drive.
So if we take the drive out, we're
still going to have this security when
we go on to the next computer.
But it's not
really any better.
Because if we put a floppy disk
in it, which I think we have our
floppy disk, right? Is this bootable?
No, I can, it doesn't matter.
As soon as we boot it to a floppy,
it's going to come up. Oh, you're right.
Oh, that's the machine.
As soon as we boot it to a floppy,
we can have all of the information
out of it. Because
we're not actually encrypting the information,
protecting the information, or protecting the
partition table, or any of that
good stuff. All we're doing
is making it harder to
boot the computer. So
this doesn't really protect us either.
And we're also still,
we still have the regular problems
with what
happens if we forget our password,
what if we want to do reset,
all that good stuff. This is a bootable
CD that I just dropped in here.
As soon as I drop the bootable CD in,
you'll notice that
even though I've got that boot lock
product installed on here,
I go to my C drive,
I do a directory,
there's all my files.
So I can copy any file I want off here,
I can do anything I want to the machine,
there's no access control whatsoever.
Now this is the same
situation, there's a lot of products out here that
fall into this area.
And there's a lot of people that spend a lot of money,
way too much, on buying them.
There's products like Norton For Your Eyes Only that I mentioned,
there's this boot locker, and basically if you go on the web
and you do a query for a boot lock,
you're going to find a lot of different people that sell
this sort of thing, but it's pretty much junk.
It doesn't really give you any security,
easy to get around,
doesn't really protect you from anybody that knows what they're doing.
So, what do we do from there?
Pardon? Question?
The question was, with Norton For Your Eyes Only,
you actually couldn't see the C drive when you boot it up.
That's correct.
But if you rewrote the partition table,
you could see the C drive.
FDISK /MBR.
Yes, you could do it with FDISK /MBR,
or you could do it with something like Disk Edit
from Norton Utilities, which is what I usually use.
It works a little bit more
controllably, reliably.
It's not in Microsoft, that sort of thing.
Here we go.
So, with that, what have we done?
So, so far, we've circumvented a BIOS password system.
We've circumvented a boot lock system.
Now, the boot lock was easy to circumvent just because it didn't really have a lot of
back-end security.
Now, it's a true point that Norton For Your Eyes Only had a little bit more security, but it
actually doesn't have security against the next set of tools, which we're talking about,
which are sector editors.
Sector editors can retrieve all the information off the machine, regardless of whether you
mess up the partition table or not, because it just reads the information directly off
the machine.
All your file structures are there.
All the file beginning and ending, all that stuff is there, and you could easily get it
off and copy it to a floppy and take whatever you want.
So, boot locks, not really a good idea.
File encryption.
There's a lot of different things out there for file encryption, and I'm going to show
you a couple different things.
A lot of these things you may know, some you may not.
The bad thing about file encryption, and basically all security products that run inside
Windows after the operating system has started,
is that they're cursed with having to run in a multi-tasking environment.
So as soon as you start up Windows, or whatever operating system you're talking about, and
you have a product that asks you for authentication, you have an opportunity to have another product
attacking, or another program attacking that authentication scheme.
So as long as you're using regular passwords and you're not using something like smart
cards or two-factor authentication,
you're open for a lot of security.
You're open for open season on attacking that program.
You also have another problem with things like file encryption, which is recovery, lost
passwords.
Also you have an assurance problem, which is a big problem for people that have secure
information that they want to make sure stays secure.
How do you know that they haven't been able to break it?
And you really don't have a way.
If they can take the file away with them and work at it on their leisure, then you have
no way to guarantee.
Your only real way is to make sure that they can't get in the file system at all.
So what am I going to show you on that?
So file encryption, it allows you to protect your information with strong encryption.
Weakest link is that it runs in a multi-tasking environment.
Password security is only as strong as the password, which is true.
So I'm going to show you some of the different tools you can use to attack it.
There are some possible mitigations.
Things like dynamic tokens.
X9.9.
Challenge and response tokens, which I don't know if some of you guys are familiar with.
They're basically hardware tokens with an encryption scheme built into them.
So you have to have the token in order to authenticate against your machine.
There's also smart cards that you can authenticate against your machine.
And if you don't have the key that's burnt into that smart card, you can't access the
information.
So if, for example, a good example would be if you encrypted on a smart card and you put
that information on your machine.
But you took the smart card and you had it in your pocket, somebody could run off with
the machine and do whatever they wanted to do.
And they wouldn't be able to decrypt it unless they had the actual physical key that you
had.
USB tokens, another good example.
They have some weaknesses also.
They have been attacked in a couple different ways.
But generally they're pretty darn good.
There's also biometrics and things like that.
Let's look a little bit at what these things do and how to attack.
All right.
Well, we've got a couple different things here.
First thing we can take a look at is basically how to attack a file with a Windows password
prompt.
Let's look at that.
Here we go.
Okay.
I'm going to open up a file now that has been protected. This is just a simple demonstration
of a password. If we open up this document, this is a protected Word document now. It's
protected against change. When I try to unprotect it, it's going to give me a password prompt
in just a regular box, and we're going to use that for our demonstration. There's lots
of other things you could hack against. I often demonstrate this in hacking against
the PGP Windows prompt where you can do a passphrase. That's another good example. This
is a pretty simplistic one. Let me show you how this guy works. As soon as you go to unprotect
this guy, it pops you with an authentication.
This authentication screen is a screen in itself. You notice it floats around. It does
all the good stuff. If you're a programmer out there, you know that this box has controls.
It's got a name. It's got a box. It's got different actions that can perform against
it. You could, of course, snoop this box, which I'll show you in a second. You could
find out what all the controls are doing, anything that's being entered in here. I'm
going to show you in a second.
Even when it enters star, star, star, of course, you can get it to reveal all that because
it has to broadcast it as part of the control. That's rather an obvious thing, but I'll
show it to you in a minute anyway. Generally, let me show you an attack on this guy. This
box is up. We're going to now find my... Actually, let's just do it this way.
We're going to run an old program. Works really, really good, though. It's called Claymore.
You can get it on all the good hacking sites, hackers.com, all over the place. Works really
well, really, really well, and it's really, really easy. That's why I like to demo with
it. Let me show you what it does. Basically, what Claymore is is it's a very simplistic
program that allows you to...
Use dictionary attack or random character generated brute force attacks. What it does
is it gets the focus of a window, and then it just throws passwords at it until it's
successful. There's lots of different ones of these utilities. It's actually not that
hard to even write one of these because all you're doing is going through a file, reading
the output, and then sending it out to the screen. It's not hard at all. It's really
simplistic.
Let me show you how this works.
Let me show you how this guy works. If I choose a file, I'm going to choose a dictionary
file for this. This has got a whole bunch of different passwords in it. It could be
a dictionary file like userdict off the internet. It could be my... There's lots of different
Linux password crackers that use large dictionaries that you can get off the internet. This dictionary
file is not that big because it's only for the sake of example, but you can get really
huge ones.
I then entered the strokes that I wanted to do after it enters its password. It goes
through the entries one at a time, enters the password, and then it does these keys
to finish up.
I could also have a whole set of keys that it has to do. It has to hit control F1, switch
around, change window focus, do a whole bunch of things before it runs. In this case, it's
pretty simplistic. What it's going to do is it's going to go through these words one
at a time.
I hit start. It's going to start counting down. It's going to go through these words
one at a time, then I point it at what I want it to break. I point it right here. It's
going to count down and then it's just going to start going crazy on that window and throwing
passwords until it gets in. It got in pretty quick. You notice if I let it keep running,
you're going to see all the passwords that it's throwing at it. It throws them fast,
fast, fast, fast. This is, it's running pretty slow because it's running inside Word.
I did it in a text editor, you see it even runs faster than this. It just goes through
until it finds the password, and then it'll actually just keep going anyway.
But you can use that against anything that has
a Windows password prompt. Anything. Doesn't matter what it is.
Unless they're smart enough to put something in like a
maximum number of attempts, something like that. Other than that, you can
use this against that. And you'd be surprised how many things don't put maximum level
of attempts. The other good countermeasure to this when you're programming
is putting in the time limitations. But you can account for that
in this. You could restart
open the document again, or something like that. You could have a new
setup sequence in the beginning of the document to close it and then open it again.
And then you may get around the timeout. You may not have to wait 30 seconds or whatever.
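An added example, not code from the talk or from any named product, of the countermeasure discussed above: an attempt limit whose counter is kept in a store keyed by document rather than inside the prompt itself, so closing and reopening the document does not reset it. The document id, password and fixed clock are constructed for the demonstration.

```python
"""Password prompt with an attempt limit whose state lives outside the prompt
object, so closing and reopening the document does not reset the counter.
Assumed design for illustration; not the behaviour of any named product."""
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5           # failures before a lockout starts
BASE_LOCKOUT_SECONDS = 30  # doubles on every further failure while locked
PBKDF2_ROUNDS = 100_000


def make_verifier(password, salt=None):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(candidate, salt, digest):
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)   # constant-time comparison


class AttemptStore:
    """Shared, per-document failure counter (in a product: a file or registry
    value keyed by document id). The clock is injectable for deterministic tests."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}   # doc_id -> (failures, locked_until)

    def seconds_locked(self, doc_id):
        _, locked_until = self._state.get(doc_id, (0, 0.0))
        return max(0.0, locked_until - self._clock())

    def record_failure(self, doc_id):
        failures, locked_until = self._state.get(doc_id, (0, 0.0))
        failures += 1
        if failures >= MAX_ATTEMPTS:
            backoff = BASE_LOCKOUT_SECONDS * 2 ** (failures - MAX_ATTEMPTS)
            locked_until = self._clock() + backoff
        self._state[doc_id] = (failures, locked_until)

    def record_success(self, doc_id):
        self._state.pop(doc_id, None)


class NaivePrompt:
    """Weak version: the counter is a field of the prompt, so a fresh prompt
    (document closed and reopened) starts again at zero."""

    def __init__(self, doc_id, salt, digest):
        self._salt, self._digest = salt, digest
        self._failures = 0

    def unprotect(self, candidate):
        if self._failures >= MAX_ATTEMPTS:
            return "locked"
        if check_password(candidate, self._salt, self._digest):
            return "ok"
        self._failures += 1
        return "wrong-password"


class PersistentPrompt:
    """Hardened version: same prompt, but failures and lockout are read from
    and written to the shared AttemptStore keyed by document id."""

    def __init__(self, doc_id, salt, digest, store):
        self._doc_id, self._salt, self._digest, self._store = doc_id, salt, digest, store

    def unprotect(self, candidate):
        if self._store.seconds_locked(self._doc_id) > 0:
            return "locked"
        if check_password(candidate, self._salt, self._digest):
            self._store.record_success(self._doc_id)
            return "ok"
        self._store.record_failure(self._doc_id)
        return "wrong-password"


def reopen_resets_counter(prompt_factory):
    """Use up the attempt budget on one prompt, then open a fresh prompt for the
    same document and report whether it accepts another attempt."""
    first = prompt_factory()
    for _ in range(MAX_ATTEMPTS):
        first.unprotect("not-the-password")
    return prompt_factory().unprotect("not-the-password") != "locked"


# Constructed sample document with a fixed clock so results are deterministic.
SALT, DIGEST = make_verifier("correct horse battery staple", salt=b"\x01" * 16)
STORE = AttemptStore(clock=lambda: 1000.0)
naive_resets = reopen_resets_counter(lambda: NaivePrompt("report.doc", SALT, DIGEST))
persistent_resets = reopen_resets_counter(
    lambda: PersistentPrompt("report.doc", SALT, DIGEST, STORE))

if __name__ == "__main__":
    print("naive prompt: reopen resets counter ->", naive_resets)            # True
    print("persistent prompt: reopen resets counter ->", persistent_resets)  # False
```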
So this is a simplistic thing. The next thing
I'm going to show you also to go with this that's also simplistic
is what I was just talking about. And that is the
sniffer for Windows.
Again, this is just a regular hacker tool that you can get off hackers.com.
You can get it all over the place. It's actually just a
small, almost like a VB debugging
type of tool. Because you'll notice if I put this up
here,
this is the window that reads
my
text out, right? If I take this cursor and I put it across
anything that's a control, you'll notice that it's going to bring up
what that control does. Check for update, about. That's the name of the
control. All these things are broadcasted. If I bring it up here on top of
the password there, it tells me that the password that I entered under
all those stars is defcon. This works really well for anything that
stores a password if you forget your password.
Your password for anything. And it comes up, star, star, star. It will always decrypt that.
There are a couple companies that have done a good job of subverting this.
And they basically don't let the password even enter in the program. They're not entered
into the window. Old versions of PGP, actually, they still
came up. New versions of PGP actually block this now.
So it doesn't broadcast the password out. But most programs
that you get, anything that you get this star, star, star with, you can get the password out by
just snooping the window. And it will give you the password that you
entered. Pretty simplistic, pretty easy, pretty effective. Gets the password out really quick.
So that's that guy. So we're not going to change that.
Now. All right. So, the bad part about file encryption, or any sort of file password
prompt, is that it runs in a multi-tasking environment.
And the other bad part is that the password security is the only, is
only, or I should say the security is only as strong as the password.
Two-factor authentication helps you out a little bit here, because you can't hack at two-factor
authentication. It's, you know, you need a little bit, you need an encryption key,
you need a response. It might change multiple times. There's lots of different
things you can do for this. Yeah.
Pardon? What if you lose your smart card? That's a good question. The answer is that
there's a lot of different things out there that work in an infrastructure, so more than
one person have, has access to your information. There's a couple different systems that are
built to run inside, like, an administrative interface. Whether you are your own backdoor
or administrator, or, you know, somebody else's backdoor, or somebody else's backdoor, or
somebody else's. You could lock it to two smart cards, lock it to something different,
a smart card and a token, or lock it to a, have a fixed password as a backdoor, but have
it, like, 50 characters, something crazy like that, so you don't have to type it in
every time. Or something randomly generated. Lots of different things.
Okay. So, now on to some different tools that we have to work with on this whole thing.
If we want to get the information off a machine, some of the tools that we have available to
us is sector editors. Sector editor that I'm going to show you today is Norton Utilities
2001 Disk Edit. Works really simply. It's got a lot of nice features in there. It's
got searching. It's got spanning. You can look all over the disk. So, even if you were
in a situation like Norton for your eyes only, which messed up the boot record a little bit,
I could still search for any information I wanted on the disk and take it all off. So,
a confidential document, a PowerPoint.
Anything like that, I could go around it and just zoom right through it. There are
a lot of other sector editors that are available on the market. It's actually not that hard
of a thing to even write a sector editor if you wanted to. The, if you go to a query
on, like, download.com, you'll notice that there's a bunch of them, like WinHex and things
like that that are pretty darn good sector editors. So, let's switch over here and we'll
see just a minute what they do.
This really isn't a hedge pool at all.
That's a good question. That's correct, sector editors are not
effective on things that do encryption on the data. Things that do encryption on the data,
you would need to attack them through the method
like I was just showing, where it throws multiple passwords, or through attacking
them. Through... Actually, I shouldn't say that. I shouldn't say this isn't effective
on things that encrypt the data.
Let me give you an example.
EFS, which is coming up in probably three or four slides.
That's true.
That's true.
Yeah, things that are implemented well,
if they encrypt the data and they implement it well
and they trash all of the old temp files
and they do all that good stuff,
this attack method does not work.
But if they have implemented their encryption of the data
in any dumb sort of way
that they don't encrypt the temp file,
they don't encrypt the page file,
there's lots of different things
that could have information left in them.
Then you can get to all that information
with the sector editor.
Let's take a look at what the sector editor looks like.
Let's see.
Not that guy.
This guy.
Okay, here we go.
Okay, our sector editor.
If we start it up, as I said, I'm going to use the Norton one
just because it's pretty and it shows kind of well,
but there's a lot of other ones.
Oh, yeah, I'm on the wrong drive.
I need to reboot it.
I need to reboot it.
No, I need to reboot it.
Here we go.
Let me boot up onto this boot disk
and enable the disk so I can see all the information on it.
By the way, if you are looking at trying to get information off machines,
a really good utility to make is there's a CD burning program out there
called Roxio, which a lot of you may use.
You'll notice that.
They give you an option to build a bootable CD,
which is really useful if you want to be able to go to a machine
and get anything you want off of it
because you can basically mount 650 megs of tools
to play with and do whatever you want with on that machine,
which is what I'm doing in this particular case.
Okay, disk edit.
So, I'm going to bring this up in a read-only mode,
take a look at my C drive.
You'll notice that in most cases,
disk edit understands even your file system,
so it makes it vastly simplistic.
It sees all my files.
It sees all my directories.
I don't even have to look at this in hex or all those other things.
I can pick up any one of these files and take a look at them.
I'm going to change the view a little bit.
So, we can take a look.
You can look at it as different file systems.
You can look at the partition table.
You can look at the boot record.
You can modify this, guys, however you want.
We can also look at what the information is looking like
on the actual disk and search through it.
Search through it one piece at a time to try to find the data.
So, if we were looking for data on somebody's machine
or something that we lost,
all we have to do is zip through here
and we can have any data that we want off this machine.
And this is reading it at bypassing all security,
file level security, everything.
All we're doing is taking this directly off the sectors of the drive.
Pretty simplistic, but it's pretty powerful.
So, that's what they look like.
I don't know if you guys have had a chance to look at them before.
Let me show you what the partition table and everything looks like.
You can tell what operating system is on the machine
just by booting to it, even if it were protected.
You could tell, even with file encryption,
what type of operating system attack you wanted to do.
If you wanted to plug in a key logger underneath
so you could pick up the keys that were being entered
for authentication to open up a file encryption,
you could do that.
You could tell which partition is being booted from
so you could intercept that and put it in a false boot sector.
You could do pretty much anything you want.
Disk editors are your favorite tool
for taking a look at everything.
You can do that.
You can do anything on that machine.
So, they're pretty comprehensive,
and they really let you have a lot of access to the machine.
Alright.
Again, that one was Norton Utilities,
but you can get a lot of free ones off the internet.
If you wanted to just take a look at your machine,
it's pretty easy.
You can't hurt anything as long as you leave it in read-only mode,
and it's definitely a great tool.
It's a really interesting reading
to figure out how the file system works
and how it's storing information
and how it retrieves it.
And it's definitely important
if you want to try to keep your information secure
from other people getting into it.
Okay, so how does this link up
with the encrypting file system?
Well, the encrypting file system,
EFS by Microsoft,
is a popular topic out there
in government, in companies,
all over the place,
and a lot of people are interested in it.
They're implementing it.
It's like PKI was a couple years ago.
You know, everybody thought PKI was the end of the universe
and that it was a solution to every security problem.
EFS is what that is now.
Everybody you've talked to in a company,
they're all, EFS is unbelievable.
You can protect against it,
but really there's a lot of attacks against EFS,
most of which you've probably read about on the internet.
NTBugtraq has got a lot of good stuff.
There's a lot of good stuff about it.
Microsoft themselves in that URL
that I started off with there,
they talk a lot about all the different attack methods
that have been used against EFS
and are all successful.
And that's why they basically said that thing about
if you have physical access to the machine,
there's no way that they can prevent you
from having access to it
because they don't have a way to secure EFS right now.
One of the two main ways that EFS stinks
is if you encrypt information quite often,
unless you're creating information in an encrypted directory
and leaving it in an encrypted directory,
it's got a big problem with temp files.
I don't know if any of you have seen it,
played with it,
or tried it,
but if you were to actually look for a temp file,
you encrypt a Word document,
you encrypt an Excel file,
you encrypt a PowerPoint presentation,
something like that,
you would find that,
the temp files for that file,
when you move it into an encrypted directory,
still exist.
And you can read all the information fully encrypted.
So you actually get two copies of your data,
one encrypted,
one non-encrypted,
the unencrypted one fully accessible,
you can read it anytime you want,
and the encrypted one with your certificate encryption.
Now the other really interesting way,
and I almost thought about demoing it today,
but it takes a lot of switching,
and you can see how interesting the switching between multiple computers
already works out to be,
is the recovery agent attack.
And most of you must have already read about this.
When you set up EFS originally,
EFS by default,
if the machine is not part of an Active Directory domain,
sets your local administrator to be the recovery agent.
What the recovery agent is,
is the person that is able to save you if you screw yourself
by forgetting your password,
it's a password backup utility.
And most programs that encrypt data have this sort of thought built in,
so basically if you mess yourself up,
you have somebody you can go cry to,
or either an administrator you can cry to,
or your own backdoor that you put into the encryption when you set it up,
so you can get your data back if you forget your password,
or you forget your authentication scheme.
But basically,
the bad thing about local administrator becoming the recovery agent,
is I don't know how many of you have ever played with a utility called L0phtCrack,
but it's pretty easy to get local administrator.
Anywhere from booting up into NTFS DOS,
and taking the SAM file,
and hacking the SAM file,
so you can log in as administrator,
to just deleting the SAM file entirely,
which is a lot of work,
which I'm sure some of you know,
if you delete the SAM file entirely,
Windows has to recreate it in order to be able to start up again.
So you end up with an administrator with a blank password,
that is the recovery agent,
and the local administrator,
so you have access to all the files.
So if you have physical access to the machine,
you can get anything you want.
Other bad thing about EFS,
is that it has,
you know, the regular,
the regular baggage that comes with PKI.
Now there's a lot of people that are really hot on PKI.
I think PKI has its place particularly in things like email,
and exchanges,
and things of that sort.
But I don't really think that it's good for encryption,
general encryption of sitting data.
And one of those problems,
one of those reasons is certificate theft.
One of the big problems with storing information
in companies,
in your house,
in anywhere,
is that the people that are likely to attack it are not,
you know,
some foreign government or something like that.
It's more likely somebody that knows something
about the computer,
somebody that knows something about you,
has done research about you,
or your mom,
or something like that, you know.
Somebody that knows something about you,
can make guesses about your password,
or knows your machine,
and they may,
can get physical access to your machine.
Well, if they can get physical access to your machine,
they can steal your certificate.
Now, certificates are,
somebody's gonna raise their hand in two seconds and say,
yes, certificates are protected.
But they're not protected very well.
There's a lot of different ways out there
to get the pins off certificates,
lots of different ways to attack certificates.
As soon as you own the certificate,
you own all the data.
You can do two things.
First thing, you can decrypt anything you want.
And second thing, you can pose as anybody you want.
And if you can pose as anybody you want,
with a certificate,
I mean, as far as a certificate goes,
if you're using a certificate as authentication,
then there's not much purpose to it.
So, EFS has a lot of flaws in it,
and it's not really generally very secure.
So, how do we attack a machine before it started?
Oh, I'm sorry, it's cut off a little bit at the top there.
How can I attack a machine before it starts?
Well, I think I've showed you a couple different ways.
You can steal the hard drive.
You can boot from a boot disk.
You can see whatever information you want.
You can play with NTFS DOS,
which a lot of you have definitely played with.
NTFS DOS lets you mount anything that's NTFS
from a Windows NT or a 2000 machine in DOS,
look at it, read, write it, edit it,
do whatever you need to do.
NT Locksmith, another product from the same company,
lets you, basically, rewrite things.
Write the SAM hashes so you can inject your own account.
There's also some more interesting things
as we get down to its bottom.
L0phtCrack, everybody knows about.
Lets you do the NTLM hashes.
Basically, try to decipher passwords
out of your SAM database.
Then, of course, there's the new hot topic for hackers,
which is Active Directory injection.
Basically, I can inject any data I want to
in an active directory with no way of tracing it
or taking it out or anything like that.
There's a lot of companies now that are basing their security,
their mail systems, their everything on active directory.
They're trying to move everything into running off that system.
There's really no way that they can prevent you
from injecting your own email accounts.
Brian Glancy at whitehouse.gov, for example.
You can inject whatever you want into the system
if you have physical access.
All these attacks occur by using an alternative operating system
against the machine.
You boot up into DOS,
you boot up into another operating system, Linux,
or something like that,
and then you attack the operating system
when it's not in its started up state.
It's very, very hard to prevent.
Only real way to prevent it is to maybe, either,
encrypt all the information on the machine beginning to end, or, I know
there's some military installations that have hardware encryption, basically
encrypting cards that encrypt all the data on the drive, and basically if you
don't have that card you can't get the data off the drive. There's a couple
different installations. Floppy locks, exactly. Here are the tools from
Sysinternals, so you should take a look if you're interested in doing
this sort of thing. NTFS DOS does what I just talked about: it lets you mount NTFS
read/write from a floppy disk, so you could do anything you want to an NT
system, whether it is take the SAM, whether it's take the files off there,
whether it's try to defeat EFS by deleting the SAM and restarting the
recovery agent, whether it's injection into Active Directory. So basically, with
this type of attack and NTFS DOS,
you know, if you had physical access to a server for any
company, you could inject anything you wanted, from, you know, your own email
account to your own bank account if it were a bank, to whatever you wanted. If
you have physical access to that machine, you can inject into the system. NT
Locksmith, just a utility that lets you reset, inject accounts into the SAM. Pretty
simplistic, all it does is reset the hashes to a known
value.
That way, you know, the password for administrator all of a sudden works
like a charm for every system. You basically just boot up from it and you
run it on the target system, and then all of a sudden,
boom, you've got root, you've got system administrator access.
What? That's a good question. Yes. The question was that NT Locksmith
requires an ERD and NTFS DOS requires two machines. NTFS DOS requires that you
had made the disk in advance. I made these, I made the floppies, my NTFS DOS
floppies, I don't know, six months ago. I carry them around with me. Whenever I
need them, I just pop them in my machine. So I had to have a machine sometime in order to
create the NTFS DOS floppies. I don't need anything else. I just stick them in
there and then, boom, I've got it. Now, regarding the question about
NT Locksmith, it does require an ERD in some circumstances, but
they have some advanced options that you can do to work around it even
if you don't have the ERD. L0phtCrack, we've probably all played with it. Easy,
fun, fast. It basically doesn't fail. It's got a
lot of different ways for you to hack all of the passwords
inside an NT system, an NT domain.
You can take down, either just take the SAM file,
crack it offline, which is nice and safe
because you don't have to worry about sitting at a desk
inside a company or something like that,
or wherever you may be,
and taking all the files off there.
Or the other thing you could, of course, do
is you could sit it down at that computer,
put it in, and run it inside Windows
and run it real time.
Everybody's probably seen it.
Works really simplistically.
Dumps all your passwords,
and then it cracks them all one at a time.
Works very quickly.
Pardon?
That's right.
Exactly.
John the Ripper, so you don't have to pay.
There's a lot of utilities like this.
I usually use L0phtCrack.
You're right.
You do have to pay for L0phtCrack.
You could use it for 30 days for free.
So anyway.
Anyway.
And by the way, if you start playing,
when I'm playing with a SAM file,
the SAM file moved, just so everybody knows.
SAM file used to be in the system root on NT4.
Now it's in system32\config.
SAM file's still in there.
Great.
So, I have a section in here on how hard drives work.
I think we've already covered a lot of this.
At the low level, hard drives are just ones and zeros.
All the information that we place on it, all the different file systems, operating systems, and everything are just manifestations of that.
Every time we look at a sector editor, you usually look at those things in hex.
The hex is just a higher level interpretation of that binary that's being written on that disk.
So it's very hard to protect the information that you're writing down to that disk unless you encrypt it at the low level
or you were to do the floppy lock like we were talking about or protect the authentication against that.
On the low level of these machines, they include partitions.
The partitions are just basically logical drives.
Everybody knows this.
It's just the master boot record, which has a record of all the information, the partitions that are on this disk,
how they start, where they go, how big they are, all that good stuff.
When you pick it up, you can take a look at it in disk edit and a lot of other utilities, too.
Basically, you could see where your partitions are.
You could resize it.
Things like partition magic, this is where they play.
All they do is change the numbers in there.
All they do is resize.
You can resize the beginning and end sectors, beginning and end cylinders to change the size of your drive.
It's pretty simplistic stuff.
The next part of the whole story is your boot sector, of course, which is where you actually get into your operating system.
The master boot record, as I mentioned before, contains a marker for active.
It's a single bit, actually.
A marker for active partition.
The active partition is the partition that you want to boot from.
All it does is repeat the same process that it did for the master boot record.
Actually, I have it up here on the screen.
The same process that it went through for the master boot record reads that information into memory and executes it.
It reads the beginning 446 bytes off that drive and then executes that program.
If that program were you, it would execute you.
If it were a boot locker, it would execute the boot locker.
If you had a boot locker on it and you wanted to boot it, you would execute it.
If you had a boot locker on it and you wanted to execute you, all you do is replace it with a regular Windows 95 boot sector and you're fine.
Basically, all the boot sector does is point to the operating system that you're going to load and say,
dump to win NT or dump to NT loader, dump to command.com.
That's all it really does.
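To make the on-disk layout just described concrete, here is an added example (not from the talk): a parser for one raw 512-byte master boot record that splits it into the 446 bytes of boot code, the four 16-byte partition entries with their active flag, and the trailing signature, plus the sanity checks a defender would run against a baseline to notice a replaced boot sector or a tampered partition table. The sample sector is constructed inline, not taken from any real disk.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446       # boot code the BIOS loads into memory and jumps to
TABLE_OFFSET = 446         # four 16-byte partition entries follow the code
BOOT_SIGNATURE = 0xAA55    # bytes 0x55 0xAA at offset 510, read little-endian
ACTIVE_FLAG = 0x80         # status byte value marking the bootable partition


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_id: int        # e.g. 0x07 NTFS, 0x0B FAT32, 0x00 unused slot
    lba_start: int
    sector_count: int

    @property
    def active(self) -> bool:
        return self.status == ACTIVE_FLAG

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.sector_count == 0


def parse_mbr(sector: bytes) -> dict:
    """Split one raw sector into boot code and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != BOOT_SIGNATURE:
        raise ValueError(f"bad boot signature 0x{signature:04X}")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, _chs0, type_id, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + i * 16)
        entries.append(PartitionEntry(i, status, type_id, lba, count))
    return {"bootstrap": sector[:BOOTSTRAP_SIZE], "partitions": entries}


def bootstrap_fingerprint(mbr: dict) -> str:
    """SHA-256 of the 446 code bytes; compare with a known-good baseline."""
    return hashlib.sha256(mbr["bootstrap"]).hexdigest()


def check_mbr(mbr: dict) -> List[str]:
    """The checks a sector-editor user does by eye, done programmatically."""
    findings = []
    used = [p for p in mbr["partitions"] if not p.empty]
    active = [p for p in used if p.active]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    for p in used:
        if p.status not in (0x00, ACTIVE_FLAG):
            findings.append(f"partition {p.index}: odd status byte 0x{p.status:02X}")
    spans = sorted((p.lba_start, p.lba_start + p.sector_count, p.index) for p in used)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions {a} and {b} overlap")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: active NTFS partition, one FAT32 partition, two unused."""
    code = b"\xEB\xFE" + b"\x90" * (BOOTSTRAP_SIZE - 2)   # jmp $ then NOP padding
    e0 = struct.pack("<B3sB3sII", ACTIVE_FLAG, b"\0\0\0", 0x07, b"\0\0\0", 63, 2_000_000)
    e1 = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x0B, b"\0\0\0", 2_000_063, 1_000_000)
    return code + e0 + e1 + b"\0" * 32 + b"\x55\xAA"
```

Reading the real sector 0 with a read-only tool and feeding it to `parse_mbr` gives the same view the disk editor shows, and a changed `bootstrap_fingerprint` is the tell-tale that the boot code was swapped.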
Examples of secure authentication.
One of the ways to mitigate all this stuff is to figure out a good way to authenticate yourself.
There's some cheap ways and there's some expensive ways.
Expensive ways include things like biometrics, even though they're getting cheaper.
There's a lot of really good ones that you guys may or may not have played with.
There's a lot of cheap fingerprint readers.
There's actually some good new ones that are PCMCIA cards that pop out right outside of your machine.
Some really good stuff out there.
Other forms of two-factor authentication that are less expensive include USB tokens.
People that make these are like Aladdin and Rainbow.
They make very cheap authentication tokens that have an encryption algorithm built into them.
Basically, you put this USB token on your key ring.
You carry it around with you.
If somebody turns on your computer when you're gone and they don't have that key in there,
it's not going to read any of the information off there.
They're actually quite strongly encrypted.
They give you...
There's...
They're really hard to attack.
So if you have information on your machine that you don't want people to be able to get to,
this is a good way to protect it.
There are also smart cards out there.
A lot of people make smart cards.
They're a little bit more expensive because you've got to invest in a reader.
A little bit of a pain in the butt.
But they're not bad.
Challenge and response tokens.
There's a lot of different people that also make something.
There's a standard for it, X9.9.
Challenge and response tokens.
They basically are tokens that have a little encryption algorithm built into them.
And basically, the computer knows the encryption algorithm and the card does.
And it generates a challenge and response that goes back and forth between you and the computer
in order for you to authenticate yourself.
If you miss it, you don't get into the computer.
So this is another good method.
And it's really a good one.
All these different ones are really good if you want to be able to maintain control of your information even when you're gone.
Somebody comes and tries to get the information.
You've got the physical token.
And they've got to say, give me that physical token before I get out.
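The challenge-and-response exchange described above, as an added example rather than anything from the talk or a vendor: the machine issues a random challenge, the token answers with a keyed MAC over it, and the machine checks the answer in constant time and refuses to accept the same challenge twice. X9.9 specifies a DES-based MAC; this example substitutes HMAC-SHA256, and the shared secrets are constructed values.

```python
import hashlib
import hmac
import os
from typing import Set


class Token:
    """The device on your key ring: it never reveals its secret, it only
    answers challenges. Responses are truncated to 8 bytes like a short
    token display would be."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()[:8]


class Verifier:
    """The computer's side: holds its own copy of the secret, hands out a fresh
    random challenge, and accepts exactly one response per challenge."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: Set[bytes] = set()

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge that was never issued, or was already consumed, fails:
        # recording a good response and replaying it later buys nothing.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, response)   # constant-time compare


def login_attempt(verifier: Verifier, token: Token) -> bool:
    """One full exchange: machine -> challenge -> token -> response -> machine."""
    challenge = verifier.issue_challenge()
    response = token.respond(challenge)
    return verifier.verify(challenge, response)


def demo() -> dict:
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")        # constructed
    machine = Verifier(secret)
    owner_token = Token(secret)
    stranger_token = Token(bytes.fromhex("ffeeddccbbaa99887766554433221100"))
    results = {
        "owner": login_attempt(machine, owner_token),        # right token: in
        "stranger": login_attempt(machine, stranger_token),  # wrong secret: out
    }
    # Replay: the same challenge/response pair presented a second time.
    challenge = machine.issue_challenge()
    response = owner_token.respond(challenge)
    results["first_use"] = machine.verify(challenge, response)
    results["replay"] = machine.verify(challenge, response)
    return results
```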
